
Re: [Asrg] article: port 25 blocking

2005-04-12 08:13:45
George Ou wrote:

> Permitting only legitimate SMTP
> servers via SenderID lookup follows the "least privileges" rule and is a
> much more effective ACL.  Anyone who blocks all non-SPF compliant messages
> blocks all illegitimate SMTP servers using a database (public DNS records)
> that they don't need to personally manage.  Creating or managing a massive
> database of non-SMTP servers is totally impractical.

Port 25 blocking is also a least privileges model. Consumer ISPs block all outgoing port 25, then punch a few holes in the firewall for their own mail servers and the few customers that request an exemption. Sounds quite manageable to me.

> What makes you think that it takes "ALL domains" to implement SPF?  Just the
> top 50 domains in the world alone implementing it would pretty much force
> the entire world to comply unless they don't care for their messages to be
> delivered to the 50 largest domains.  Do you honestly believe you can get
> all ISPs and hotspots to manage a much larger non-SMTP server ACL?

I think you just answered your own question. In summary you are saying that if the large domains require SPF then everyone will be forced to put SPF records in for any domain that sends email. So you are in fact saying that yes, everyone will be forced to implement SPF records in your scheme. I submit that no ISP is willing to risk the loss of requiring SPF because doing so would lose a vast amount of legitimate email. In the current environment at best you would be able to get sites to reject on SPF hard fail, but that wouldn't achieve your goal. It's a chicken and egg problem that I don't think any ISP in their right mind would go along with.

Your blog says that port 25 blocking is controversial with users. I submit that it is controversial to a minuscule number of users. On the other hand, requiring an SPF pass on all incoming email right now would cause huge amounts of legitimate mail to be blocked. How controversial do you think that will be? Already we have a number of respected anti-spammers who are quite opposed to SPF because hard fails are occasionally false positives. You're gonna have people bouncing off the walls if you reject soft fail and unknown status and only allow SPF pass messages.

Implementing port 25 blocking also requires significant work, but the downside is limited to only a few people. Also the number of consumer ISPs is much smaller than the number of email domains out there. If you got the top 50 consumer ISPs to implement port 25 blocking, then nobody else has to do anything at all and you'll probably be at least 80% of the way done in terms of number of zombies no longer effective.

A number of large consumer ISPs have already implemented it with only a few grumbles about it. Consumer ISPs which implement it will see an immediate reduction of complaints coming into their abuse mailbox, and only have a handful of users who will need to make a change. That sounds a heck of a lot more manageable than forcing everyone to implement SPF records and having tons of legitimate mail rejected until everyone complies.

--
James Lick -- 黎建溥 -- jlick(_at_)jameslick(_dot_)com -- http://jameslick.com/
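The distinction the reply draws between "reject on SPF hard fail" and "require an SPF pass" can be made concrete with a small evaluator. The following is an added example, not code from the thread or from any SPF implementation: it evaluates a minimal subset of SPF (only `ip4:` mechanisms and the `all` catch-all with its qualifier; `a`, `mx`, `include` and the other DNS-dependent mechanisms are deliberately not resolved and simply do not match), then runs two receiving policies over a constructed set of messages. The domains, addresses and the "is this message legitimate" labels are all constructed for the illustration and correspond to nothing real.

```python
import ipaddress

# Constructed sample SPF records keyed by sender domain (hypothetical
# domains, not real DNS data). A domain absent from the dict has no record.
SPF_RECORDS = {
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 -all",    # hard fail for others
    "soft.example":    "v=spf1 ip4:198.51.100.10 ~all",   # soft fail for others
    "neutral.example": "v=spf1 ip4:203.0.113.0/28 ?all",  # neutral for others
}

# Result produced when a mechanism with the given qualifier matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the subset of SPF described in the lead-in.

    Returns one of: "pass", "fail", "softfail", "neutral", "none".
    """
    record = records.get(domain)
    if record is None:
        return "none"                      # no record published at all
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record we understand
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == 4 and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        # a, mx, include, exists, ptr would need DNS; treated as "no match".
    return "neutral"                       # fell off the end of the record


# Two receiving policies: each returns True when the message should be rejected.
def reject_on_hardfail(result):
    """Reject only an explicit '-all' style hard fail."""
    return result == "fail"


def require_pass(result):
    """Reject everything that is not an SPF pass (softfail, neutral, none, fail)."""
    return result != "pass"


# Constructed messages: (sender domain, connecting IP, is_legitimate).
# The legitimacy flag is an assumption made for the illustration.
SAMPLE_MAIL = [
    ("strict.example",  "192.0.2.5",      True),   # listed relay -> pass
    ("strict.example",  "198.51.100.99",  False),  # forged sender  -> fail
    ("soft.example",    "198.51.100.10",  True),   # listed relay -> pass
    ("soft.example",    "203.0.113.200",  True),   # legit, unlisted relay -> softfail
    ("neutral.example", "203.0.113.3",    True),   # listed relay -> pass
    ("nospf.example",   "192.0.2.77",     True),   # no record -> none
    ("nospf.example",   "192.0.2.78",     False),  # unwanted mail, no record -> none
]


def evaluate_policy(policy, mail=SAMPLE_MAIL):
    """Count legitimate mail rejected (false positives) and unwanted mail blocked."""
    false_positives = spam_blocked = 0
    for domain, ip, legit in mail:
        if policy(check_spf(domain, ip)):
            if legit:
                false_positives += 1
            else:
                spam_blocked += 1
    return {"false_positives": false_positives, "spam_blocked": spam_blocked}


if __name__ == "__main__":
    for name, policy in (("reject on hard fail", reject_on_hardfail),
                         ("require pass", require_pass)):
        print(f"{name:20s} -> {evaluate_policy(policy)}")
```

On this constructed sample the hard-fail-only policy rejects nothing legitimate but also leaves the mail from a domain with no record untouched, while the require-pass policy blocks more unwanted mail at the cost of rejecting the softfail and no-record legitimate messages. That is the trade-off the reply describes: the stricter policy only becomes safe once every sending domain publishes a record that lists all of its relays.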

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg